Millions of Veterans at Risk of Identity Fraud Following Data Theft
[Sorry, the video for this story has expired, but you can still read the transcript below. ]
RAY SUAREZ: The identities of 26.5 million U.S. veterans are at risk after thieves stole electronic files from a Veterans Affairs employee’s house outside Washington May 3rd. The data includes Social Security numbers and birth dates, enough information to commit fraud.
MARK RASCH, Security Expert: If I have your name, your date of birth, and your Social Security number, I can become you for establishing credit, for getting credit cards, for opening bank accounts.
RAY SUAREZ: The theft, which was announced yesterday, represents the largest unauthorized disclosure of Social Security information so far. Most of the files were of veterans who served and have been discharged since 1975. The federal government has launched an investigation into the theft.
Attorney General Alberto Gonzales spoke to reporters today.
ALBERTO GONZALES, U.S. Attorney General: We have no reason to believe that people understand — that the thieves understand what kind of information that they have and whether or not they’ve taken advantage of that. We don’t know whether or not they’ve thrown away the information.
RAY SUAREZ: The V.A. employee who took the files home has been put on leave. Some veterans said that’s not enough.
PAT TORO, Veteran: As a former detective, OK, I’m very concerned, because I know what can be done with the information.
MIKE HICKEY, Veteran: You know, identity theft, wind up with a bunch of bills or God knows what. I’m not really sure what they would do with the information other than rob people.
RAY SUAREZ: The V.A. theft is the latest in a series of high-profile identity theft cases. In February 2005, Bank of America announced it lost computer files with the personal information of 1.2 million federal employees. And in 2004, ChoicePoint, an Atlanta company that collects and sells personal information, revealed thieves gained access to its information on some 145,000 people nationwide.
Expecting the worst-case scenario
RAY SUAREZ: For more, I'm joined by Evan Hendricks, editor and publisher of the Privacy Times newsletter and author of the book "Credit Scores and Credit Reports: How the System Really Works and What You Can Do."
And Lynn McNulty, former associate director for computer security at the government's National Institute for Standards and Technology. He's now a private consultant in the information security field.
Evan Hendricks, let's start with you, and let's start with the moment that laptop is stolen from a government employee's home. What are the possible consequences of that much data being lost?
EVAN HENDRICKS, Editor, Privacy Times: That the thieves -- if the first thieves don't use it, they'll sell it to other thieves, maybe through a fence, and it's very possible someone along the chain could wake up and say, "We're sitting on a gold mine of information."
"We can use this information to apply for credit in the names of these veterans, using their names and Social Security numbers. And if we or any of our cohorts get caught committing crimes, we can provide these identities so that creates criminal records for those people."
That's some of the worst-case scenarios.
RAY SUAREZ: Now, as we heard the attorney general say, there's no indication yet that the people who stole this information, in fact, know what they have. But as long as that hard drive's out there, does it remain dangerous?
EVAN HENDRICKS: Yes, there's no reason to panic, but there's every reason to be concerned. And one of the things that the attorney general needs to understand is that -- time has evolved, and the prisoners are talking to each other about this in prison, about, "What are you in for?" "Burglary." "Well, why did you do burglary when you could have done identity theft?"
So there's growing consciousness through them, through the methamphetamine gangs, through some foreign national gangs, and other parts of the criminal world that this is where the money is.
Protection from the inside
RAY SUAREZ: Lynn McNulty, this all began when someone, who wanted to do some work at home, left with information that they shouldn't have left the V.A. with. How does this happen? How could somebody dump such a huge trove of information onto their own gear?
LYNN MCNULTY, Information Security Consultant: Well, the technology is allowing people to do that, to pack more and more data onto smaller and smaller recording devices, whether it's a thumb drive, a laptop with additional storage on it, or a computer disc and walk out the door with it, easily concealed, particularly in an environment where -- not in a national security environment, people are very seldom challenged when they take things out of the office that might have millions and millions of names and Social Security numbers on it.
RAY SUAREZ: Well, you go to a government building, and people are walking in and out all day. So where do you start to build the safeguards that would make this kind of inadvertent loss impossible or less possible?
LYNN MCNULTY: Well, in the security field over the last, say, five, six, seven, eight years, we have focused on building perimeter security defenses against the external hacker threat or the external intruder.
The insider threat I don't believe has received as sufficient attention as it warrants, because it's the insiders that ultimately can cause catastrophic losses to organizations, whether they're government or private-sector organizations.
And so I think we have a mindset that says that it's the hacker, the individual sitting in the Ukraine that's trying to penetrate our systems, that is the real problem, when we need to also focus on the authorized user or the insider and what he or she can do from their consoles.
RAY SUAREZ: Well, isn't the whole momentum of technological change kind of in the other direction, to make it easier to copy things from place to place and move things from place to place? Doesn't that make the security job that much harder?
LYNN MCNULTY: You have just framed the fundamental security dilemma that people in the security profession face these days, is they are continually confronting technology challenges caused by advances in technology, smaller and smaller devices that can record a lot of information and that are very, very portable and how they can walk out the door.
And there's a continual arms race versus the technologist versus how people can either deliberately or inadvertently exploit those technologies for unauthorized purposes.
Who shoulders the burden?
RAY SUAREZ: Well, as the Lynn McNultys of the world are trying to build a technical architecture to protect this data, is there a legal one? Is there enough safeguard built into the law to slow down or stop this type of thing?
EVAN HENDRICKS: Clearly not enough, because the law already requires -- the Privacy Act requires the Veterans Administration to take the appropriate technical and administrative steps to safeguard this information, but that law is not self-enforcing.
There's not great oversight of it within the executive branch. You don't have a good private right of action to bring suit. And so it's a right without a remedy.
So the law needs to be strengthened so that all entities that are handling very sensitive information have a much stronger duty to protect it. That's the thing that's going to get their attention.
And what also -- and that will help bring about what's really needed, is a culture change, so people understand this is part of their consciousness. In the security agencies, Defense Department, those people handle classified data and know darn well they have to protect it. That culture has not yet migrated to the handling of our personal information, and it's a question of how good our policy is to speed that along.
RAY SUAREZ: Well, what is the difference or is there a difference between the way information is handled in the commercial world, where people are sort of surrendering some of their personal information to get things in return -- easy credit, credit cards approval in the same day, and that sort of thing -- versus government information, which often you're compelled to give?
EVAN HENDRICKS: Veterans had to give this information to qualify for the disability payments. They understand that. The tradeoff is there's a law that says the Veterans Administration is supposed to protect the information.
They've completely let down the veterans on that subject matter, and now all these millions of veterans have the burden of making sure they're monitoring their credit reports and their financial data for years to come, because that's how long the threat will continue.
RAY SUAREZ: So you would suggest to someone who's in that list of 26.5 million names not to trust that the federal government will watch their backs. They should do it for themselves?
EVAN HENDRICKS: Yes, because the laws are not as advanced as they need to be to protect consumers, the burden's on the individual.
There's one new law that's coming out of some of the states -- 12 so far -- that allows you to put a freeze on your credit report, and that stops the key moment when you make sure your credit report isn't disclosed when the fraudsters are applying for credit in your name.
So I'm urging veterans to freeze their credit reports. And even if they're in a state that doesn't allow them that right by law yet, to still ask for it and force the credit bureaus to say, "Sure, you risked your life for our country, but we know we can't freeze your credit report."
Preventing another accident
RAY SUAREZ: Well, Lynn McNulty, let's talk about some of the technical answers, some of the possible remedies to this kind of thing happening. What are they?
LYNN MCNULTY: Well, there's a broad spectrum of technical remedies. One remedy that everybody always brings up when you have this kind of data loss as a result of a stolen laptop or a thumb drive is to force information that is sensitive, that was placed on these to be encrypted, so that, if somebody does steal a laptop or a drive, there's no way that anybody can make sense out of the information. It's scrambled or otherwise rendered unreadable.
There's also advanced authentication technologies. We're far beyond a place where a password is appropriate now for using access to a terminal. The old joke in the security world is that if you give somebody a password, they're going to write it on a Post-it note and probably stick it to their computer terminal.
So that's not good enough. We need something that somebody has -- a token, or some other kind -- a biometric device, so that you can restrict access to a device.
There's also ways to better auditing or monitoring of what people do. The fact that somebody was able to offload a national database onto their personal storage device should not happen. There should be some alarm; some bell should go off when somebody is migrating that much information, 27 million records on veterans, to a removable storage device.
RAY SUAREZ: It sounds like what you're saying isn't very expensive or complicated to do.
LYNN MCNULTY: Well, it is. There's a life-cycle to security costs: the installation costs, the maintenance cost.
First of all, it takes management will. It takes will on the part of people that are making decisions that we're going to spend the money on this problem to protect information. Then, there's also an installation cost, and you have to maintain it and enforce the technology there.
And finally, you have to communicate what your security expectations are to the people that are using the data and also to the people that are safeguarding and using the data in their day-to-day positions.
And, obviously, in this case, the individual at the V.A. far exceeded any authorized policy or procedure by taking this huge volume of information out the door into their personal residence.
RAY SUAREZ: Lynn McNulty, Evan Hendricks, gentlemen, thank you both.